Bug 760877

Summary: unixODBC64: Various kinds of defects found in new package.
Product: Red Hat Enterprise Linux 7
Reporter: Pavel Raiskup <praiskup>
Component: unixODBC
Assignee: Tom Lane <tgl>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Priority: medium
Version: 7.0
CC: azelinka, hhorak, kvolny, ohudlick, ovasik
Target Milestone: rc
Target Release: 7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-03-19 18:28:59 UTC
Attachments: fixes for the most obvious errors (flags: none)

Description Pavel Raiskup 2011-12-07 09:18:57 UTC
1. bad use of sizeof

   => DriverManager/__info.c:3978

   It looks like sizeof(*error_header) should be used instead of
   sizeof(error_header).

   | void setup_error_head( EHEAD *error_header, void *handle, int type )
   | {
   |-    memset( error_header, 0, sizeof( error_header ));
   |+    memset( error_header, 0, sizeof( *error_header ));
   |
   |     error_header -> owning_handle = handle;
   |     error_header -> handle_type = type;
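
   Review bot: the corrected memset in setup_error_head needs a statement of impact to go with it. With sizeof( error_header ) only a pointer's worth of bytes was zeroed, so everything in the EHEAD past those bytes, apart from owning_handle and handle_type which are assigned just below, kept its previous contents. Put that in the commit message, and check the rest of the tree for other memset/memcpy calls that take sizeof of a pointer parameter.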

2. Bad negation of comparison.

   => DriverManager/SQLGetCursorName.c:188
   => DriverManager/SQLGetCursorNameW.c:171

   The result of '!buffer_length' is always 0 or 1. It can never be less than 0.

   | @@ -185,7 +185,7 @@ SQLRETURN SQLGetCursorName( SQLHSTMT statement_h..,
   |
   |      thread_protect( SQL_HANDLE_STMT, statement );
   |
   | -    if ( !buffer_length < 0 )
   | +    if ( !(buffer_length < 0) )
   |      {
   |          dm_log_write( __FILE__,
   |              __LINE__,
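
   Review bot: the new condition `!(buffer_length < 0)` on the `if` line is true for every buffer_length >= 0, so the block that begins with dm_log_write would now run for all non-negative lengths. The old `!buffer_length < 0` was always false, which made that block dead code; if the block is the invalid-length error path, the test that matches the intent is `if ( buffer_length < 0 )`, and the same goes for SQLGetCursorNameW.c:171.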

3. Defect in working with list

   => DriverManager/SQLConnect.c:2393

   The variable 'env_lib_list' really looks like it may be equal to NULL,
   even if 'env_lib_prev' is non-NULL.

   Here is the case (after that, the while loop's break will be reached):

   | @@ -2303,6 +2303,9 @@ static void release_env( DMHDBC connection )
   |                  }
   |                  env_lib_prev = env_lib_list;
   |                  env_lib_list = env_lib_list -> next;
   | +                //             this is it:     ^^^^
   | +                // env_lib_list goes to NULL but env_lib_prev stays
   | +                // non-NULL
   |              }
   |          }
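
   Review bot: the three added lines are comments only, so nothing changes at `env_lib_list = env_lib_list -> next;` and the state described (env_lib_list NULL while env_lib_prev is non-NULL) is still reachable. The actual guard belongs at the use named in the report, SQLConnect.c:2393, which is outside this hunk. If the annotation stays, write it as a /* */ comment in case the file is built as C89.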

4. Null dereference during error handling.

   => Drivers/template/SQLAllocStmt.c:24

   dereference of NULL pointer hDbc (hDbc->hLog).

5. Null dereference.

   => Drivers/template/SQLDescribeCol.c:49

   dereference of the variable 'szColname' as strcpy target.

6. Null dereference

   => cur/SQLAllocStmt.c:74

   | if (!cl_statement) {
   |     cl_statement -> cl_connection -> ...
   | }

7. Missing break statement_handle

   => exe/isql.c:103

   When the '-3' parameter is passed, it really looks like verbose mode is
   turned on because of the fall-through here.

8. Static overrun

   => Drivers/Postgre7.1/info.c:1010

   | @@ -1007,7 +1007,7 @@ mylog("%s: entering...stmt=%u\n", func, stmt);
   |     strcpy(prefixes, globals.extra_systable_prefixes);
   |     i = 0;
   |     prefix[i] = strtok(prefixes, ";");
   | -   while (prefix[i] && i<32) {
   | +   while (prefix[i] && i<31) {
   |         prefix[++i] = strtok(NULL, ";");
   |     }
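
   Review bot: the bound `i<31` in the while condition is a magic number tied to a prefix[] size that this hunk does not show; derive it from the array, for example `i < (int)(sizeof(prefix)/sizeof(prefix[0])) - 1`, so the two cannot drift apart. The context line `strcpy(prefixes, globals.extra_systable_prefixes);` also copies without a length check, and when the list holds more entries than fit the loop ends with the last slot non-NULL, so any later code that walks prefix[] until NULL needs an explicit terminator.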

9. Static overrun

   => Drivers/nn/convert.c:248/434

   Bad walk through sqltype_idx_tab. It has only 7 items.

10. Sizeof mismatch

   => DriverManager/SQLGetStmtAttrW.c:322|329|336

   The memcpy on line 322 will copy only the first 8 bytes from statement->apd into
   the value pointer destination.

   | memcpy( value, &statement -> apd, sizeof( SQLHANDLE ));

11. Stray semicolon

   => cur/SQLBindCol.c:89

12. Missing return statement

  => unixODBC-2.2.14/exe/isql.c:552

13. Array 'salt' is not initialized and is used

  => Drivers/PostgreSQL/results.c:743

  | crypt( ci -> password, salt );
                           ^^^^
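
A minimal C reproduction of items 1 and 8 above, added here as an example; it is not taken from unixODBC or from the reporter's patch. `ehead_demo`, `SLOTS` (a 32-entry `prefix[]`) and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define SLOTS 32  /* assumed size of prefix[]; the declaration is not on the page */

/* Hypothetical stand-in for EHEAD; the real layout is not shown on the page. */
typedef struct {
    void *owning_handle;
    int   handle_type;
    char  detail[64];
} ehead_demo;

/* Item 1: count the bytes left non-zero after the buggy or the fixed memset. */
size_t stale_bytes_after_clear(int use_fixed)
{
    ehead_demo h, *p = &h;
    const unsigned char *raw = (const unsigned char *)&h;
    /* The defect takes the size of the pointer, not of the structure. */
    size_t n = use_fixed ? sizeof(*p) : sizeof(p);
    size_t i, stale = 0;

    memset(&h, 0xAA, sizeof h);   /* simulate memory that was in use before */
    memset(p, 0, n);
    for (i = 0; i < sizeof h; i++)
        stale += (raw[i] != 0);
    return stale;
}

/* Item 8: run the strtok loop with the given bound and return the highest
 * index it stores to. The scratch array is oversized, so the demonstration
 * itself never writes out of bounds. */
int highest_index_written(int ntokens, int bound)
{
    char  buf[256];
    char *prefix[SLOTS + 8];
    int   i = 0, k;

    if (ntokens < 1 || ntokens > 100 || bound > SLOTS)
        return -1;
    for (k = 0; k < ntokens; k++) {   /* constructed input: "x;x;...;" */
        buf[2 * k] = 'x';
        buf[2 * k + 1] = ';';
    }
    buf[2 * ntokens] = '\0';

    prefix[i] = strtok(buf, ";");
    while (prefix[i] && i < bound)
        prefix[++i] = strtok(NULL, ";");
    return i;
}
```

A return value of `SLOTS` or more from `highest_index_written` means a real 32-entry array would have been written past its end; that happens with the original bound of 32 and not with 31.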

Comment 8 RHEL Program Management 2012-06-12 01:19:06 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 9 Tom Lane 2013-03-19 15:28:36 UTC
RHEL-5 has now entered production phase 2, in which only security and other critical bugs will be addressed.  It doesn't look like any of these count as critical bugs.  (Note that the worst ones are in the built-in drivers, which we consider deprecated anyway --- people should use mysql-connector-odbc64 or postgresql-odbc64.)  Moving to RHEL-7 (and reassigning to unixODBC) where we can fix the remaining issues promptly.

Comment 11 Tom Lane 2013-03-19 18:28:59 UTC
Fixes pushed into F19, so they'll be there in RHEL-7.